CBPm Case Management Platform
CBPm is a secure, fully featured, extensively configurable, structured case management platform supporting user-defined case records and workflows. It facilitates secure collaboration, case and task prioritisation, document management, reporting and service monitoring, legacy systems integration and advanced data handling (e.g. automating applicant vetting, invoicing).
Features
- User defined case data structures, business rules and workflows
- Powerful collaboration capabilities; ideal for secure multi-organisation workflows
- Task management, prioritisation and escalation
- Powerful management information, reporting and audit trail capabilities
- Granular role and individual information field security permissions
- Open APIs for easy integration to legacy and other systems
- Content management system and CRM interfaces including SharePoint and Salesforce
- Tablet and mobile ready
- Interfaces to Finworks’ Data Management Platform for powerful data processing
Benefits
- Fast on-boarding; team experienced in rapid alpha/beta deployments
- Efficient workflow configured specifically to your organisation’s needs
- Substantial reductions in case cycle times
- Secure working with citizens, suppliers and other agencies
- Supports direct web interaction with citizens
- Can handle complex interactions with databases and other data sources
- Provides real time business intelligence
- Powerful audit and work monitoring/review capabilities
- Secured to government standards
- Well established for mission critical deployments in the public sector
Pricing
£21 a user a month
- Education pricing available
Framework
G-Cloud 10
Service ID
663356836957400
Contact
Fincore Limited
Mike Ellis
Telephone: +44 (0)207 397 0620
Email: government@fincore.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- Please see our Service Definition document for details of the service. This includes a section on customer technical requirements and also details support and maintenance arrangements
- System requirements
- Browser as per our browser specifications
- Reasonably modern PC/mobile device
- Sufficient bandwidth to access the service
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Response times will depend on the priority of the issue and support arrangement agreed. We have a reputation for highly responsive support and references can be provided on request. We can also provide custom support arrangements that meet your specific requirements
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- We customise our support arrangements according to your individual needs. Support can be provided on either an SLA or capped effort basis, with support hours and SLA terms agreed according to your specific requirements. Support is provided by an expert team, and we have a reputation for building systems that in any case are easy to use and require little support. Please see our Service Definition document and Pricing for further details of our support arrangements
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- Our service is designed to be extremely easy to use, to the extent that some customers do not feel any need to train their staff to use it. We can however provide training, train-the-trainer support for in-house training, and relevant documentation as needed. We can also provide a full range of onboarding, configuration and other implementation services. Please see our Service Definition and Pricing documents for details
- Service documentation
- Yes
- Documentation formats
- HTML
- ODF
- End-of-contract data extraction
- Finworks can provide an extract of the database in XML, CSV or ODF format and any stored files in their provided document format. Alternatively, users can directly extract all customer data and files using the service's API
- End-of-contract process
- Please see the Exit Plan section of our Service Definition document
Using the service
- Web browser interface
- Yes
- Supported browsers
- Internet Explorer 11
- Microsoft Edge
- Chrome
- Safari 9+
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- Our mobile service is provided through responsive design. All core features can be used on mobile devices that meet the browser requirements, but certain functions (e.g. where large amounts of data need to be viewed on screen) are best undertaken on a PC or tablet with a suitable screen size
- Accessibility standards
- None or don’t know
- Description of accessibility
- Our service meets substantial parts of the WCAG and EN 301 549 standards but has not been tested fully against these standards. We aim to upgrade accessibility further over the G-Cloud 9 contract period, and we would in any case address any specific issues raised in respect of individual users experiencing difficulties
- Accessibility testing
- The Digital Accessibility Centre has tested our public-facing web capabilities against the Digital Service Standard accessibility standards including with users of assistive technology. We have used the knowledge gained from this testing to improve functionality in other parts of our service to ensure that we cater for a user base with a broad variety of access needs
- API
- Yes
- What users can and can't do using the API
- The service provides an Application Programming Interface (API) which can be exposed as RESTful and SOAP-based web services. There are numerous calls, which focus on: (i) creating, updating and extracting data (all customer data can be extracted or input using the APIs); (ii) allowing users to take action within workflows; (iii) executing most of the system functionality around user management; and (iv) managing data in the service's 'Bulletin Board' (interactive dashboard), 'Workzone' and 'Basket' functions. All the API calls are documented in an interactive web page within the administration interface, with sample calls and example code to aid any team who are programming against it. A test suite, or 'sandbox', can be made available
- API documentation
- Yes
- API documentation formats
- HTML
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- The service is designed to be extensively user customisable in almost every area, including workflows/business processes, forms, reports, bulletin boards (interactive dashboards), livery (for customer branding) and customer-specific data model. The ability to customise a specific instance is predominantly delivered via configuration. Customers can also access and extend the functionality using the extensive API suite
Scaling
- Independence of resources
- Our DevOps team proactively monitors service performance on our standard (multi-tenanted) service, and will adjust hosting environment parameters as needed to anticipate/address performance issues. Customers can also opt for a dedicated instance of our service, with dedicated application and database virtual machines, for an additional fee. Please see our Service Definition and Pricing documents for further information
Analytics
- Service usage metrics
- Yes
- Metrics types
- We usually define a custom set of metrics with our customers as we can extract a very broad range of data from: (i) our application; (ii) our hosting environments; and (iii) our support systems. N.B. Our workflow system provides visualisation of process cycle times and bottlenecks
- Reporting types
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with SSAE-16 / ISAE 3402
- Physical access control, complying with another standard
- Encryption of all physical media
- Other
- Other data at rest protection approach
- We apply a defence in depth approach to the hosting environments we provide
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Our extensive API suite supports full or partial export of the data in the database and any files stored in their original document formats
- Data export formats
- CSV
- ODF
- Other
- Other data export formats
- XML
- JPG
- PNG
- TXT
- DOC
- DOCX
- XLS
- XLSX
- Data import formats
- CSV
- ODF
- Other
- Other data import formats
- XML
- JPG
- PNG
- TXT
- DOC
- DOCX
- XLS
- XLSX
Data-in-transit protection
- Data protection between buyer and supplier networks
- Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Other
- Other protection between networks
- IP address whitelisting can be applied
- Data protection within supplier network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Other
- Other protection within supplier network
- We apply a defence in depth approach within the hosting environments we provide
Availability and resilience
- Guaranteed availability
- Depending on the hosting and support arrangements in place, we can offer SLA-governed availability levels of up to 99.9% (excluding scheduled downtime) with associated service credits
- Approach to resilience
- We offer a range of resilience options. Please see our Service Definition document
- Outage reporting
- We agree outage reporting arrangements flexibly with individual customers to fit in with their own processes
Identity and authentication
- User authentication needed
- Yes
- User authentication
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Dedicated link (for example VPN)
- Username or password
- Other
- Other user authentication
- Access over government networks could also easily be provided; all the necessary security provisions are already in place. Likewise, identity federation would be easy to provide and is on our roadmap for delivery over the G-Cloud 9 framework period
- Access restrictions in management interfaces and support channels
- For our standard service, the Microsoft Azure Management Portal is used to manage the Azure accounts and requires 2-factor authentication. Support access to the Azure infrastructure and servers is via 2-factor authentication across a VPN connection. This VPN is established using public key authentication. Username and password are required for access into the Active Directory domain. Where hosting with an alternative cloud provider or on premise is requested, access arrangements will be agreed with the customer
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Dedicated link (for example VPN)
- Username or password
- Other
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- UKAS
- ISO/IEC 27001 accreditation date
- 21/9/16
- What the ISO/IEC 27001 doesn’t cover
- All Fincore's activities are covered, including all activities of our Finworks division
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- Yes
- Any other security certifications
- Cyber Essentials
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Other
- Other security governance standards
- Cyber Essentials scheme
- Information security policies and processes
- Fincore is accredited to the ISO27001 ISMS standard, with a regular programme of internal and external (independent) audit to monitor and maintain compliance. Fincore is also accredited to the ISO9001 quality management standard, and is registered with the Information Commissioner's Office for data protection
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- Changes come from three sources: users/customers, the product manager and the dev/QA team. Configuration and development requirements are specified by a business analyst. The changes are prioritised by a Change Advisory Board. Jira is used to track the lifecycle of these changes. Implementation approaches are reviewed by a solutions architect and a code review takes place during the development process. These reviews ensure that the code is functionally robust and secure. The QA team tests the code before release. We agree UAT, change and release management processes flexibly with individual customers to fit in with their own processes
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- We undertake threat reviews when we make changes to our software or infrastructure and when new threats are made public. We carry out regular penetration testing and our CSO monitors security information sources. Our VP Engineering is responsible for addressing any vulnerabilities identified. The speed of patching is proportionate to the level of threat identified
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- We have an IDS/IPS in place and anti-malware software on all Windows servers. We collate log files centrally from all relevant system components, and these are reviewed daily by the DevOps team. When unusual activity is identified, it is escalated to our VP Engineering who, in consultation with our CSO, will determine the appropriate course of action. Uptrends and Microsoft Azure's Operations Management System and Security Centre are also used for monitoring
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- When incidents occur, they are triaged by a Service Manager who co-ordinates the response in accordance with our ISO27001 policies and procedures. Our team and customers may report incidents by phone or email, or enter them directly into our helpdesk system. Major incidents will be escalated immediately to Director level. The Service Manager provides regular updates and an incident report on resolution
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- Yes
- Connected networks
- Other
Pricing
- Price
- £21 a user a month
- Discount for educational organisations
- Yes
- Free trial available
- No